The judges said both the collection and holding of
personal data breached people’s right to privacy.

British security agencies have
secretly and unlawfully collected massive volumes of confidential
personal data, including financial information, on citizens for more
than a decade, senior judges have ruled.

The investigatory powers tribunal, which is the only court that
hears complaints against MI5, MI6 and GCHQ, said the security services
operated an illegal regime to collect vast amounts of communications
data, tracking individual phone and web use and other confidential
personal information, without adequate safeguards or supervision for
17 years.

Privacy campaigners described the ruling as “one of the most
significant indictments of the secret use of the government’s mass
surveillance powers” since Edward Snowden first began exposing the
extent of British and American state digital surveillance of citizens
in 2013.

The tribunal said the regime governing the collection of bulk
communications data (BCD) – the who, where, when and what of personal
phone and web communications – failed to comply with article 8 of the
European convention on human rights (ECHR), which protects the right
to privacy, between 1998, when it started, and 4 November 2015, when
it was made public.

It added that the retention of bulk personal datasets (BPD) –
which might include medical and tax records, individual biographical
details, commercial and financial activities, communications and
travel data – also failed to comply with article 8 for the decade it
was in operation until it was publicly acknowledged in March 2015.

“The BPD regime failed to comply with the ECHR principles which we
have above set out throughout the period prior to its avowal in March
2015. The BCD regime failed to comply with such principles in the
period prior to its avowal in November 2015, and the institution of a
more adequate system of supervision as at the same date,” the ruling
concluded.

The ruling comes as the House of Lords is debating the final stages
of the investigatory powers bill – the snooper’s charter – which will
put the security services’ mass digital surveillance on a clear legal
footing for the first time.

Diane Abbott, the shadow home secretary, said the ruling was “a
sharp reminder” that the “draconian bill” – which Labour has abstained
on so far – needed amending to ensure that surveillance powers should
not be lightly handed over to the security services without greater
accountability.

The investigatory powers bill will put mass digital surveillance
activities on a clear legal footing for the first time since Snowden’s
disclosure.

Chaired by Mr Justice Burton, the IPT ruling revealed that security
agency staff had been sent internal warnings not to use the databases
containing the vast collections of information to search for or access
details “about other members of staff, neighbours, friends,
acquaintances, family members and public figures”.

It also revealed concerns within the security agencies about the
secretive nature of their bulk data collection activities.

In February 2010, a Mr Hannigan, then of the Cabinet Office, wrote:
“It is difficult to assess the extent to which the public is aware of
agencies’ holding and exploiting in-house personal bulk datasets,
including data on individuals of no intelligence interest … Although
existing legislation allows companies and UK government departments to
share personal data with the agencies if necessary in the interests of
national security, the extent to which this sharing takes place may
not be evident to the public.” It is not clear from the ruling if this
is Robert Hannigan, who went on to run surveillance agency GCHQ from
2014.

The campaign group Privacy International said the ruling showed
that despite this warning internal oversight failed to prevent the
highly sensitive databases being treated like Facebook to check on
birthdays, and “very worryingly” on family members for “personal
reasons”.

The IPT ruling included the disclosure from an unpublished 2010 MI5
policy statement that the BPDs included material on the nation’s
personal financial activities. “The fact that the service holds bulk
financial, albeit anonymised, data is assessed to be a high corporate
risk, since there is no public expectation that the service will hold
or have access to this data in bulk. Were it to become widely known
that the service held this data, the media response would most likely
be unfavourable and probably inaccurate,” it said.

The legal challenge centred on the acquisition, use, retention and
disclosure by the security services of BCD under section 94 of the
Telecommunications Act 1984 and the use of BPDs under a variety of
legal powers. The tribunal noted the highly secretive nature of the
communications data regime, saying “it seems difficult to conclude
that the use of BCD was foreseeable by the public when it was not
explained to parliament”.

Mark Scott, of Bhatt Murphy Solicitors, who was instructed by
Privacy International in the legal challenge, said: “This judgment
confirms that for over a decade UK security services unlawfully
concealed both the extent of their surveillance capabilities and that
innocent people across the country have been spied upon.”

She said the use of BCD carried huge risks. “It facilitates the
almost instantaneous cataloguing of entire populations’ personal data.
It is unacceptable that it is only through litigation by a charity
that we have learnt the extent of these powers and how they are used.

“The public and parliament deserve an explanation as to why
everyone’s data was collected for over a decade without oversight in
place and confirmation that unlawfully obtained personal data will be
destroyed.”

Privacy International said the judgment did not specify whether the
unlawfully obtained, sensitive personal data would be deleted.

A government spokesperson said the ruling showed that the regimes
used to hold and collect data since March and November 2015
respectively were legal.

“The powers available to the security and intelligence agencies
play a vital role in protecting the UK and its citizens. We are
therefore pleased the tribunal has confirmed the current lawfulness of
the existing bulk communications data and bulk personal dataset
regimes.

“Through the investigatory powers bill, the government is committed
to providing greater transparency and stronger safeguards for all of
the bulk powers available to the agencies.”

Abbott said the disclosure of unlawful activity was shocking: “No
one is above the law and the security services must be held to account
on this. This scandal also has wider political implications,” she said,
adding that the bill places “far too much power in the hands of the
police and politicians without judicial oversight and diminishes the
rights of the citizens”.

“I myself have been a victim of unjustified surveillance over a
number of years. To this day I have been given no indication as to
who approved this surveillance and why,” she said.